
Enterprise risk management (ERM) : What it is and how it works

Author
Brendan Tuytel
Contributor

Small business owners will be the first to attest to the fact that launching and running a business comes with risks. But it’s impossible to be a value-generating operation without taking on some amount of risk.

While risk is inevitable, savvy businesses find ways to navigate the minefields of their operations by planning for risk and incorporating it into their strategy. To do this, they use enterprise risk management.

Enterprise risk management may not eliminate risk altogether, but it is the key to saying yes to more high-value opportunities and maximizing returns in the face of possible damage.

Key takeaways

Enterprise risk management (ERM) is a framework of identifying and planning for risk.

The most commonly used framework is the COSO ERM framework with five main components.

ERM takes into consideration a business’s goals and risk appetite to create a strategy that creates the most value without exceeding the business’s risk tolerance.

What is enterprise risk management (ERM)?

Enterprise risk management (ERM) refers to the practice of identifying, assessing, and planning for risks that could impact an organization’s ability to hit its goals.

As businesses plan for their future, there will always be uncertainty, including factors that are beyond the business’s control. Enterprise risk management aims to find these risk factors and incorporate them into the business’s strategic planning.

By identifying the risks and outlining a plan to deal with them, the business is set up to succeed despite the potential disruptions faced.

Steps of enterprise risk management (ERM)

What is the enterprise risk management process?

Enterprise risk management takes on a similar shape across all business types. It can be broken up into a six-step process.

1. Risk identification

The first step is always identifying the potential risks that could get in the way of the business hitting its goals.

This step is a collaborative effort of people from different departments in the organization brainstorming and interviewing external partners to create a list of all identified risks called a “risk inventory.”

The risk inventory is then broken up into individual categories. Some examples of categories within a risk inventory include strategic risks, operational risks, financial risks, and reputational risks.

2. Risk assessment

For each risk that was identified, the organization defines the likelihood and potential impact. 

Risk assessment combines qualitative and quantitative methods. A qualitative method is non-numerical, such as an experienced person assigning a risk rating based on their judgment. A quantitative method is numerical, using statistical models and data to derive the values.

Once each risk has been assigned likelihood and impact values, sort the list from the highest likelihood and impact to the lowest. This ranking runs from your top priority (highest likelihood, highest impact) to the lowest priority (lowest likelihood, lowest impact).

3. Risk responses

Working down the risk assessment list, the organization defines how it should address each risk.

There are four different strategies that can be used:

  • Avoidance: Steps are taken to eliminate any potential causes of the risk so it’s no longer a possibility
  • Mitigation: Steps are taken to reduce the possibility of the risk happening or reduce the potential impact
  • Transference: The risk is transferred to a third party, like getting insurance or using a contractor to complete a high risk step in the process
  • Acceptance: The risk is accepted as inevitable and the business commits to monitoring the situation to confirm the risk impact is not worse than expected

After defining which approach you’ll take for each risk, it’s time to drill down into exactly how that will be done: the risk management plan. There should be a clear, actionable plan by the end of this step.

4. Risk integration

With the risks and strategies identified, the business then integrates their risk management plan into the overall strategy and decision-making process.

Everyone in the organization should be aware of the work that’s been done and aware of what their responsibilities are. Assign roles for people who will be accountable for each risk and accompanying strategy.

If there’s a financial component to the risk, it should be included in the financial forecast and budget for upcoming periods.

5. Risk monitoring and reporting

As time progresses, it’s necessary to track the risks and whether the action plan provided the anticipated results.

Reports should outline each of the risks, key risk indicators (KRIs) that measure whether the risk occurred and what its impact was, and identify any new risks that have arisen.

If new risks are identified, they should be added to the risk inventory, assessed, and have an action plan.

6. Evaluation and improvement

Equally important to monitoring and adapting is evaluating your enterprise risk management process, taking feedback, and changing your approach.

Take note of where your approach was ineffective. Some things you should review for are:

  • Did you miss any risks that impacted the business?
  • Did you over or underestimate any risk impact?
  • Did your strategies successfully manage the risk?
  • Was the business adaptable with any risks identified throughout the year?

The answers you have to the questions above and others will guide the future of your enterprise risk management practice.


What are the 5 components of ERM?

We’ve reviewed the step-by-step process of enterprise risk management; another way of looking at the practice is to break it up into components. The most common framework in ERM is the COSO ERM framework, which is made up of the following five components.

Governance and culture

Governance and culture refers to the organization’s structure and tone surrounding risk. The purpose of this component is to promote risk-awareness and buy-in throughout the organization. 

Enterprise risk management is a company-wide practice. Everyone should have clear roles, policies, and responsibilities to rally around and execute on.

Strategy and objective setting

Every business will have different tolerance levels for how much risk they’re willing to take on—also called the “risk appetite.”

Strategy and objective setting starts by defining the risk appetite. A business with high risk appetite is willing to take on additional risk in the pursuit of value while a business with low risk appetite may forgo value generating activity if it comes with risk.

Once the level of risk appetite is defined, the business’s strategies and goals are built on that principle. If the risk appetite is low, the business should focus on building a conservative strategy with risks that can be easily avoided or mitigated.

If the strategy is high risk but the risk appetite is low, the business should go back to the drawing board and try to build up a strategy that takes on less risk.

Performance for compliance risks

After the strategy and objectives are defined, the organization goes through the internal and external risk factors to analyze their likelihood and potential impact.

Similar to steps 1 and 2 in the above step-by-step process, risk likelihood and impact should be defined by both qualitative and quantitative methods, then ranked from the highest risk to lowest risk.

The approach recommended by the COSO ERM framework is to use a 5-point scale for both the likelihood and the impact of each risk. For likelihood, a 5 is nearly certain while a 1 is very rare; for impact, a 5 is catastrophic while a 1 is insignificant.

Each risk is then placed on a likelihood-versus-impact matrix. A likelihood of 1 and an impact of 1 is low risk (or low priority), while a likelihood of 5 and an impact of 5 is high risk (or high priority).

COSO ERM Framework

It’s also best practice to categorize risks into different types of risk (e.g. strategic, operational, financial), each with an accountable stakeholder (or stakeholders) to prioritize and manage them.

Working from highest priority to lowest priority, the organization defines a risk response strategy. The risk response strategy should closely align with the governance, culture, strategy, and objectives that were previously defined.

Also defined are the resources needed for the chosen strategy. The organization may want to weigh the costs of the strategy against the potential impact to determine whether their chosen approach makes sense from a dollars perspective.

Review and revision for compliance risks

Given that the risk environment is constantly changing, the organization needs to consistently assess for substantial changes, review their performance, and revise their strategy as needed.

Some factors to consider are:

  • Changes to the overarching strategy and objectives
  • Changes to the people, processes, or technology
  • Changes to regulations or societal expectations

If any of the factors have shifted, the enterprise risk management strategy needs to change to reflect that. Similarly, if the enterprise risk management strategy is ineffective, the organization needs to perform an internal audit to understand why and change the strategy based on its findings.

Monitoring, communication, and reporting

The final component outlines how the organization will track the performance of their enterprise risk management strategy, who’s responsible for communicating this information, and on what cadence this process is being performed.

Risks are typically monitored through key risk indicators (or KRIs). These are measurable metrics that represent whether the potential risk has been realized and impacted the business.

As an example, if a business is monitoring the risk of running out of inventory and no longer making sales, the associated KRIs would be the inventory count and the sales revenue from that product.

House these KRIs in a dashboard or customized report to monitor all risks and their impacts at a glance.

Communication about KRIs to the wider organization should be happening on a regular cadence. Whether it’s monthly, weekly, or even daily for fast-paced operations, everyone should be provided with updated information so changes can be made as soon as possible.

Challenges associated with the ERM process

From experienced practitioners to first-timers, here are four common challenges organizations face in the enterprise risk management process.

Lack of leadership support

Enterprise risk management comes from the top down. If leadership doesn’t buy into the enterprise risk management process, there won’t be sufficient resources and time dedicated to executing effectively.

There’s also the optics of leadership buy-in. If the leaders don’t take the process seriously, it’s unlikely others within the organization will.

Time and resource constraints

The enterprise risk management process isn’t an easy one. Much of it involves brainstorming, ideating, and analyzing potential risk factors before coming up with potential strategies.

If there isn’t dedicated time and financial backing, the process isn’t going to be accurate or fruitful. Similarly, if there isn’t time and financial backing for the suggested solutions, the process won’t deliver results.

Difficulty in identifying and assessing risk

There are two components to assessing risk: identifying the risk and identifying the impact. In many cases, this isn’t easy to do.

For example, say a business is looking to use a new supplier who is cheaper, but has quality control issues. How would you go about quantifying the impact of the risk? Is it possible to predict the potential impact on the business’s reputation, let alone the financial ramifications of returns and unhappy customers?

There’s also the difficulty in identifying emerging risks. Predicting risks requires having a keen sense for both economic and societal trends.

Access to data

For both the risk identification phase and the reporting phase, having access to data is necessary for measuring the anticipated and actual impact of the risk.

Some data is going to be difficult to access if you don’t already have a solution in place. For example, measuring an impact to the business’s reputation may require a new solution to measure NPS (net promoter score).

How to implement the enterprise risk management framework

Ready to implement an enterprise risk management framework? Follow these steps to get started.

Goal setting

Start by writing down the business’s long-term mission and goals in a few sentences or bullet points. From there, you should be able to define the business’s risk appetite to determine just how much risk it’s willing to take on.

Collaborate with people across the business to get organizational alignment on both factors. Once everyone has bought in, set measurable objectives that you’re hoping to achieve with the ERM process.

Risk identification

Run brainstorming sessions where everyone has an opportunity to ideate, discuss, and categorize risks. Provide some material to build on, like past data and industry reports, that can act as a stepping stone.

At the end of the process, you should have a populated risk inventory that’s ready to be worked from.

Risk assessment

Use a framework for assessing risks and their impacts, like the COSO 5-point system or a SWOT analysis. After going through the assessment process for each risk, you should have a clearly ranked list of risks from highest priority to lowest.

As you work through each risk, try to identify potential interconnectivity between risks that may affect your approach. A low priority risk may impact a high priority risk and should be moved up the ranking accordingly.

The document used for this process should be stored in a centralized location so everyone has access and knows what to prioritize.
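As an added example (not from the article or from BILL), here is the COSO-style 5-point scoring described under Performance above combined with the interconnectivity rule from this section, applied to a constructed risk inventory: each risk gets a likelihood × impact score, a risk that can trigger a higher-scored risk is promoted to that score, and the register is ranked from highest to lowest priority. The priority bands and the register entries are assumptions.

```python
from dataclasses import dataclass, field

# Scale follows the article: likelihood 1 (very rare) .. 5 (nearly certain),
# impact 1 (insignificant) .. 5 (catastrophic). Register below is constructed.

@dataclass
class Risk:
    name: str
    category: str                      # e.g. strategic, operational, financial
    likelihood: int
    impact: int
    feeds: list = field(default_factory=list)  # names of risks this one can trigger

def score(risk):
    """Raw matrix position: likelihood x impact, range 1..25."""
    for value in (risk.likelihood, risk.impact):
        if value not in range(1, 6):
            raise ValueError(f"{risk.name}: ratings must be 1..5, got {value}")
    return risk.likelihood * risk.impact

def band(s):
    """Assumed priority bands on the 1..25 product; tune to your risk appetite."""
    if s >= 15:
        return "high"
    if s >= 8:
        return "medium"
    return "low"

def effective_score(risk, by_name, path=frozenset()):
    """Promote a risk to the score of any higher-priority risk it can trigger."""
    if risk.name in path:              # circular dependency: stop at raw score
        return score(risk)
    best = score(risk)
    for dep in risk.feeds:
        best = max(best, effective_score(by_name[dep], by_name, path | {risk.name}))
    return best

def rank(risks):
    """Return (name, effective score, band) from highest to lowest priority."""
    by_name = {r.name: r for r in risks}
    rows = [(r.name, effective_score(r, by_name), r.impact) for r in risks]
    rows.sort(key=lambda t: (-t[1], -t[2], t[0]))   # ties broken by raw impact
    return [(name, s, band(s)) for name, s, _ in rows]

REGISTER = [
    Risk("Key supplier quality failure", "operational", 3, 4),
    Risk("Ransomware on finance systems", "operational", 2, 5),
    Risk("Unpatched VPN appliance", "operational", 4, 2,
         feeds=["Ransomware on finance systems"]),   # promoted from 8 to 10
    Risk("Missed regulatory filing deadline", "financial", 2, 3),
    Risk("Office lease renewal delay", "strategic", 1, 2),
]

if __name__ == "__main__":
    for name, s, b in rank(REGISTER):
        print(f"{s:>2} {b:<6} {name}")
```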

Risk response

Start by defining whether the appropriate response is to avoid, mitigate, transfer, or accept the risk. Once that’s done, create an actionable plan that reflects the response.

List out the resources necessary to achieve the response. If the costs end up outweighing the potential impact of the risk, you may want to change your chosen response (e.g. moving from avoidance to mitigation if it’s too costly to eliminate the risk completely).

For the highest impact risks, you may want to have contingency plans for if the first response is ineffective.

Monitoring

Establish key risk indicators (KRIs) and metrics that measure the efficacy of your enterprise risk management strategy. Reviews should be conducted regularly to ensure the strategy is having its intended effect.

Consider building out a dashboard that houses all the KRIs for quick reference for anyone in the organization.

Part of the monitoring process is also monitoring shifts in social and economic behavior. If new risks emerge or if shifts affect the impact and likelihood of risks already planned for, you may need to change your existing strategy.

Automating reporting in ERM

Understanding risk and its potential impacts is driven by reporting. And the less time you spend on creating and updating reports, the more time you have to focus on analyzing, adjusting, and adapting to the latest information.

With BILL, you get a full suite of reporting tools including forecasting and budgeting that helps you plan for risk and build out strategies that minimize its impact. Using integrations with some of the most commonly used accounting technology, all reports and metrics are updated without lifting a finger.

Schedule a demo and understand how BILL fits into your enterprise risk management process.

Author
Brendan Tuytel
Contributor
Brendan Tuytel is a freelance writer, who writes content for BILL. He draws from his studies of economics and multiple years of bookkeeping experience where he helped businesses understand and measure their financial health.